f1e0784bed2090080e78804cc98a701e4a179b62feda83e0e72ea0fe147990fb

General

Target

smart-defrag-setup.exe
Size

15.2MB
MD5

ca44a556e82943e117a158cd13b3270f
SHA1

cfb0427fe33eeb6a35a802380ecba05129174f89
SHA256

f1e0784bed2090080e78804cc98a701e4a179b62feda83e0e72ea0fe147990fb
SHA512

7f26e5e904c304a398c4062c50867fe25b1c9e4e3cc8b26df9d654aa788de3b7342a798aa28e4e30054cb09b462b1acbae03b7e495005ffc378b4ab4448dc336
SSDEEP

393216:qzNLub9JzlNaqvmIdXBGPpUxtcV1KPNtoS0LT/TONfSBlx84CeuzmWqp:AubjpSpUTCfT/TWqyzzmWqp

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2576	smart-defrag-setup.tmp
2272	Setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2112	smart-defrag-setup.exe
2576	smart-defrag-setup.tmp
2272	Setup.exe
2272	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smart-defrag-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smart-defrag-setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2272	Setup.exe
2272	Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2112 wrote to memory of 2576	2112	smart-defrag-setup.exe	30
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31
PID 2576 wrote to memory of 2272	2576	smart-defrag-setup.tmp	31

C:\Users\Admin\AppData\Local\Temp\smart-defrag-setup.exe
"C:\Users\Admin\AppData\Local\Temp\smart-defrag-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\is-3L5BV.tmp\smart-defrag-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3L5BV.tmp\smart-defrag-setup.tmp" /SL5="$4010A,15337863,139264,C:\Users\Admin\AppData\Local\Temp\smart-defrag-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\is-HH9M3.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HH9M3.tmp\Setup.exe" "C:\Users\Admin\AppData\Local\Temp\smart-defrag-setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HH9M3.tmp\libcrypto-1_1.dll

Filesize
1.7MB

MD5
8d0618e4b9e598ce22d1561357850e8a

SHA1
f28a567669ddcac344230d13032f5f21775a9206

SHA256
105d76c2e3cdc43b60e73316186024e09962913ebd638701aa1b110931204e50

SHA512
288b12b7fd3f05ca82fd89739c8353b601e37b9119dcc4c25df124aa9cb1442f35782cec9f25ef8b2e41ecef1eef329d3e71335eac309bbf7357d2d0389ba2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HH9M3.tmp\libssl-1_1.dll

Filesize
355KB

MD5
12b13db0565a0af61ffd9cef26add254

SHA1
2f30e6c42e96631abe43fbd81cbc71a21a822b4f

SHA256
410e57cba652d22094adbbcaed127367155aaab37cb89ab2e4443c33b3da73f9

SHA512
0cf13e52ef875fe04821d9a35db44f209c9ab91af65e9e4f8f4c8a5e3219170f6d5d7569d4eb7f358030ff3b34f64f9f31075660063a0c5c4ac9e759f155e0a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-3L5BV.tmp\smart-defrag-setup.tmp

Filesize
1.2MB

MD5
f0c6c6aa5c0d2339d89791914d506589

SHA1
3943c60482800c23d9a168c83ca53cd7ef3cbbf1

SHA256
3e5cdad01aeb97c55acd031849c9aeab445a3d428bbb2774a9c6ab8f696f0e5e

SHA512
e96e2664114a2909b45ec9b67fa274fb9cf7df80a676245e76484597375a2d1a3395349853ce947d9997e451b899f79d63a9b24dd50ba424024314fb8db82edb

Download Submit
\Users\Admin\AppData\Local\Temp\is-HH9M3.tmp\Setup.exe

Filesize
4.3MB

MD5
daa4d62d6c3218ca0a17252459265b5f

SHA1
54a3b6df37d4cc16b94b0dec5bd1840f08543b1e

SHA256
d497108163328ce8225a9bfed7469ae7d7021f2bd36aededb3bc97e3bf358f76

SHA512
6a67032e9c0e2bc9e6b07a7cc451b8feb871fb301428e5425c281f0336f5c0e0bf3f6966db09a358ee9c08c242fd6e8f6ca8183b5c08f8f9ac1566fe748f71b0

Download Submit
memory/2112-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2112-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2112-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-46-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2576-8-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2576-21-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing